Defense in Depth Strategy in Microsoft Azure
In the modern world, security is a key factor determining an organization’s growth prospects. A company with a powerful security system is bound to garner customer trust and satisfaction. Au contraire, a company not investing enough in security systems could disappoint customers and degrade its base clientele. Microsoft Azure has a wealth of plans and strategies that enable its customers to protect information and authenticate access. The strategy to be discussed here is the defense-in-depth strategy. This could be very useful for students or working professionals appearing for the Azure Fundamentals (AZ-900) certification.
Zero Trust Model
The zero trust model is a strategy that eliminates the idea of implicit trust in an organization’s network framework. This reduces the risk of data breaches by validating authenticity at every step. Zero Trust was created by John Kindervag for Forrester Research, based on the realization that conventional security models operate on the assumption that everything inside an organization’s network architecture is trustworthy. The Zero Trust model treats every individual, regardless of his/her organization, as a potential threat to security unless he/she can verify and prove otherwise. Trust is not taken for granted based on the organization’s perimeter. This implies that the traditional ‘castle and moat’ network model, which forbade external access to data, was replaced by a resilient model providing a segmentation gateway that permits authenticated access only, irrespective of whether the client is from within the organization or not. This gateway achieves this by spawning a mobile micro-perimeter that shields the ‘protect surface’ (confidential data, assets, applications, and services). The Zero Trust Model thus paves the way for a layered security system that validates at each step to avoid data breaches.
What is Defense in Depth?
Defense in Depth is a security strategy that prevents data breaches and slows down unauthenticated attempts to access data by deploying an environment with 7 layers of protection and validation. As the CSO of Devolutions, Martin Lemay, has said, “just like an onion, an attacker would have to peel its way to the heart.” This means that even if one layer of the security system is compromised, there would still be 6 other lines of defense.
Microsoft deploys the Defense in Depth strategy in both its on-premise datacenters and in the Azure Cloud services. The principles that help define a security posture are confidentiality, integrity, and availability.
- Confidentiality – This pillar ensures that the ‘protect surface’ can be accessed only by those who have been granted direct/express permission.
- Integrity – A unique fingerprint of the data is created with a one-way hashing algorithm and sent to the receiver together with the data. The goal of integrity is to preserve the data unchanged throughout the transmission. Therefore, on receipt the recipient recomputes the hash over the data that actually arrived and compares it with the hash that was sent; any mismatch reveals that the data was altered.
- Availability – Data should be made available only to authentic users, and authentic users shouldn’t be denied access. A DDoS (Distributed Denial of Service) attack violates this principle: the service is flooded so that even bona fide users are denied access.
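The integrity check described above, as an added example that is not part of the original article: a one-way SHA-256 fingerprint is computed by the sender, the receiver recomputes it over what actually arrived, and a single changed byte makes the comparison fail. The sample messages are constructed for the example. A plain hash only proves the data matches the fingerprint it travelled with; if an attacker can alter both, a keyed HMAC (shown alongside) is needed, because only a holder of the shared key can produce a valid tag.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """One-way SHA-256 fingerprint of the data, hex encoded (sender side)."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(received: bytes, expected_hex: str) -> bool:
    """Receiver side: recompute the fingerprint over the bytes that actually
    arrived and compare with the fingerprint that was sent. compare_digest
    avoids leaking where the two strings first differ via timing."""
    return hmac.compare_digest(fingerprint(received), expected_hex)


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: the same idea as the plain hash, but an attacker who
    can modify the message cannot recompute a matching tag without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_fingerprint(received: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(received, key), expected_hex)


# Constructed sample traffic: the original message and a tampered copy in
# which a single digit was changed in transit.
MESSAGE = b"transfer 100 EUR to account 1234"
TAMPERED = b"transfer 900 EUR to account 1234"
SHARED_KEY = b"constructed-demo-key"  # assumption: shared out of band


def demo() -> dict:
    """Run the sender/receiver exchange and report what each check detects."""
    tag = fingerprint(MESSAGE)
    mac = keyed_fingerprint(MESSAGE, SHARED_KEY)
    return {
        "plain_hash_accepts_original": verify_fingerprint(MESSAGE, tag),
        "plain_hash_accepts_tampered": verify_fingerprint(TAMPERED, tag),
        "hmac_accepts_original": verify_keyed_fingerprint(MESSAGE, SHARED_KEY, mac),
        # An attacker without the key cannot forge a tag for the tampered message.
        "hmac_accepts_forged": verify_keyed_fingerprint(
            TAMPERED, SHARED_KEY, keyed_fingerprint(TAMPERED, b"wrong-key")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Transport-level integrity on Azure is provided by TLS; this block shows the underlying mechanism the article describes, not an Azure API.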
Layers in Defense in Depth
Security in the Defense in Depth strategy is multi-layered. The ‘protect surface’ is stored in the core of this arrangement. This approach removes the dependence on just a single layer of security. Each layer is said to denote an individual principle of security.
| Ring | Layer | Example | Principle |
|---|---|---|---|
| 1 | Data | Data encryption in Azure Blob Storage | Integrity |
| 3 | Compute | Regular application of OS and layered software patches | Availability |
| 4 | Network | Network security rules | Confidentiality |
| 6 | Identity and access | Azure Active Directory user authentication | Integrity |
| 7 | Physical security | Azure datacenter biometric access controls | Confidentiality |
1. Physical Security
This is the outermost shell of security that regulates physical access to the cloud/data-center infrastructure. Microsoft Azure adheres to a well-architected security pipeline with data centers distributed globally. It adopts a layered approach to diminish any risk of physical penetration of clients’ data. Only eligible personnel with legitimate causes (audit, compliance, etc.) and official identification are granted permission to enter the facility. Permissions are granted only for a fixed period, after which they expire and a new order of permission must be issued. The data center perimeter is under resilient CCTV surveillance. Visiting personnel need to reach a pre-defined access point to be eligible for entry. Heavily armed and rigorously trained security staff are posted at every access point to conduct background verification of the visitor. Passing two-factor authentication via biometrics is mandatory, and it permits the visitor to access only the section of the data center he/she is entitled to. Full-body metal detection scans are conducted on the visitor before he/she can visit the designated floor, which is heavily fitted with video cameras. All these safeguards are meant to ensure that the data is protected from unauthenticated access.
2. Identity and Access
This is the 2nd layer of Azure’s defense-in-depth strategy. Data, applications, and software at the front gate are protected with Azure’s identity and access management solutions. This layer ensures that access is granted to authentic users for only what’s needed, and that sign-in/log-in attempts are logged and validated. This is used to protect against malicious sign-in attempts and to safeguard credentials with risk-based access controls. Multi-factor authentication, single sign-on, and event audits are key features of this layer.
One of the crucial parts of governing this many users is handled by Azure Active Directory. A service like Azure Privileged Identity Management can be used to restrict or grant access to various resources across the Azure ecosystem and more.
3. Perimeter
The perimeter is the 3rd layer of the defense-in-depth strategy. The perimeter is used to protect the data from large-scale network-based attacks. It is sometimes called a demilitarized zone. The perimeter is responsible for identifying network threats/attacks, alerting clients about a possible breach, and eliminating risks/threats. DDoS (Distributed Denial-of-Service) protection is used to filter large-scale attacks. Firewalls are placed on the perimeter to detect malicious activity. They ensure that only desired traffic is directed into the network.
4. Network
This is the 4th layer of the strategy. It aims to limit network connectivity across all resources to only what’s required. This layer restricts communication between resources to prevent malware from spreading laterally. Inbound and outbound access is restricted, and unsolicited traffic is denied by default. Azure Virtual Networks also provide network isolation and security controls that can be extended to on-premises networks.
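How the deny-by-default rule evaluation of this layer works, as an added example that is not Azure’s code or the original article’s: a small simulator of network security group (NSG) semantics, where rules are tried in ascending priority order and the first match wins, with a catch-all deny at the end. It puts a weak rule set (RDP open to any source) beside a corrected one (RDP only from a management subnet) and audits which ports an internet address can reach. Only the documented DenyAllInBound default (priority 65500) is modelled; the real NSG also carries AllowVnetInBound and AllowAzureLoadBalancerInBound defaults, which are omitted here. Rule names, addresses and flows are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    dest_port: str  # single port, "lo-hi" range, or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    source_ip: str
    dest_port: int


def _match_source(rule_source: str, ip: str) -> bool:
    return rule_source == "*" or ip_address(ip) in ip_network(rule_source, strict=False)


def _match_port(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def _match_proto(rule_proto: str, proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


# The platform's final default rule: anything not explicitly allowed is denied.
DEFAULT_RULES = [Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*")]


def evaluate(rules: list, flow: Flow) -> tuple:
    """Return (access, matching rule name) for the first rule that matches,
    walking custom and default rules together in ascending priority order."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (rule.direction == flow.direction
                and _match_proto(rule.protocol, flow.protocol)
                and _match_source(rule.source, flow.source_ip)
                and _match_port(rule.dest_port, flow.dest_port)):
            return rule.access, rule.name
    return "Deny", "implicit"  # unreachable while DEFAULT_RULES is present


def exposed_ports(rules: list, probe_ports, source_ip: str = "203.0.113.7") -> list:
    """Audit helper: which of the probed TCP ports does an internet-sourced
    flow reach under this rule set? (203.0.113.0/24 is documentation space.)"""
    return sorted(p for p in probe_ports
                  if evaluate(rules, Flow("Inbound", "Tcp", source_ip, p))[0] == "Allow")


# Constructed rule sets: the weak setting beside the corrected one.
WEAK_RULES = [
    Rule("AllowRdpFromAnywhere", 100, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("AllowHttps", 110, "Inbound", "Allow", "Tcp", "*", "443"),
]
HARDENED_RULES = [
    Rule("AllowRdpFromMgmt", 100, "Inbound", "Allow", "Tcp", "10.0.100.0/24", "3389"),
    Rule("AllowHttps", 110, "Inbound", "Allow", "Tcp", "*", "443"),
]

PROBE_PORTS = (22, 443, 3389, 8080)

if __name__ == "__main__":
    print("weak rule set exposes:", exposed_ports(WEAK_RULES, PROBE_PORTS))
    print("hardened rule set exposes:", exposed_ports(HARDENED_RULES, PROBE_PORTS))
    print(evaluate(HARDENED_RULES, Flow("Inbound", "Tcp", "10.0.100.5", 3389)))
```

The same evaluation order is what a reviewer applies by hand when reading an NSG: sort by priority, find the first rule the flow matches, and remember that an allow with a broad source placed at a low priority number wins over every narrower rule beneath it.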
5. Compute
Compute is the 5th layer of the defense in depth strategy. This layer ensures that all the compute resources are secured and that the user has the control needed to minimize security issues. Azure also provides its users a confidential computing service. This provides a host of tools, services, and applications that the user can leverage in a virtualized environment. By processing data ‘blind’, inside a trusted execution environment where even the cloud operator cannot inspect it, this guards against unauthorized access to data in use, supports regulatory compliance, and allows parties that do not fully trust each other to collaborate on data.
6. Application
The 6th layer of the defense in depth strategy aims to reduce risks and vulnerabilities associated with the application’s development lifecycle. It also seeks to make security features a mandatory part of application development. Confidential information used by or received from applications should be stored in a secure storage endpoint rather than in application code or configuration.
7. Data
This is the innermost layer of the strategy. Attackers pose threats to data stored in databases, on disks inside virtual machines, in Software-as-a-Service applications, and in data managed via the Azure cloud. Personnel storing and controlling access to data are responsible for ensuring that it’s properly secured. Regulatory requirements govern the processes that must be in place to ensure the confidentiality, integrity, and availability of the data.